From: Steve French <smfrench@gmail.com>
To: abrosich@inogs.it
Cc: CIFS <linux-cifs@vger.kernel.org>
Subject: Re: Permission denied mounting a DFS share with multiuser options
Date: Tue, 3 Dec 2019 16:16:29 -0600 [thread overview]
Message-ID: <CAH2r5mu5dedRmPQzRUH=E87J2txsBv3DiFYZLT-a_xYay=2czA@mail.gmail.com> (raw)
In-Reply-To: <5a987faff74646e68207e26e570a708669dd4103.camel@inogs.it>
Have you experimented with a newer kernel (e.g. Ubuntu 19 or the
download from the Ubuntu mainline kernel download site) to see if some
of Paulo's DFS fixes (e.g. a large set went in last year) help.
On Wed, Nov 27, 2019 at 6:20 AM <abrosich@inogs.it> wrote:
>
>
> Hello,
>
> I'm trying to configure a linux client (Unubtu 18.04.3) to mount a DFS
> share from a windows server 2019. Both machines are joined in the same
> Active Directory domain. I joined the linux client using the "realm"
> command and it works fine: for example I can login with ssh using AD
> credentials.
>
> The package cifs-utils is version 6.8.
>
> I start by saying that I have a little konwledge of the windows world
> and in particular of SMB, hence my question could by silly but I
> searched for days without find any solution.
>
> I found the following entries in the krb5.conf file (I suppose added by
> "realm" coomand):
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-crc)
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (des-cbc-md5)
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (arcfour-hmac)
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes128-cts-hmac-
> sha1-96)
> 3 11/11/19 08:54:09 host/LINUXCLIENT@AD.DOMAIN (aes256-cts-hmac-
> sha1-96)
> 3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-crc)
> 3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (des-cbc-md5)
> 3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (arcfour-hmac)
> 3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes128-cts-hmac-
> sha1-96)
> 3 11/11/19 08:54:09 host/linuxclient@AD.DOMAIN (aes256-cts-hmac-
> sha1-96)
>
> I created on the Domain Controller a user principal "linuxclientuser-
> cifs" and associated to it an SPN "cifs/linuxclient.fqdn@AD.DOMAIN". I
> exported the keytab file and added it in krb5.keytab where I have now
> the followind entries:
>
> 3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-crc)
> 3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (des-cbc-md5)
> 3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (arcfour-hmac)
> 3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes256-cts-
> hmac-sha1-96)
> 3 11/12/19 12:50:59 cifs/linuxclient.fqdn@AD.DOMAIN (aes128-cts-
> hmac-sha1-96)
>
>
> I use the following command to mount the share:
> sudo mount --verbose --types cifs //winsrv/CifsShare /mnt/cifs --
> options
> sec=krb5,multiuser,vers=3,user=cifs/linuxclient.fqdn,domain=AD.DOMAIN
>
> and the response is: "mount error(13): Permission denied"
>
> Looking at logs I find:
> Nov 27 13:07:18 linuxclient cifs.upcall: key description:
> cifs.spnego;0;0;39010000;ver=0x2;host=winsrv;ip4=XXX.XXX.XXX.XXX;sec=kr
> b5;uid=0x0;creduid=0x0;user=cifs/linuxclient.fqdn;pid=0x6ac
> Nov 27 13:07:18 linuxclient cifs.upcall: ver=2
> Nov 27 13:07:18 linuxclient cifs.upcall: host=winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: ip=XXX.XXX.XXX.XXX
> Nov 27 13:07:18 linuxclient cifs.upcall: sec=1
> Nov 27 13:07:18 linuxclient cifs.upcall: uid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: creduid=0
> Nov 27 13:07:18 linuxclient cifs.upcall: user=cifs/linuxclient.fqdn
> Nov 27 13:07:18 linuxclient cifs.upcall: pid=1708
> Nov 27 13:07:18 linuxclient cifs.upcall:
> get_cachename_from_process_env: pid == 0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_existing_cc: default
> ccache is FILE:/tmp/krb5cc_0
> Nov 27 13:07:18 linuxclient cifs.upcall: get_tgt_time: unable to get
> principal
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: getting
> service ticket for winsrv
> Nov 27 13:07:18 linuxclient cifs.upcall: handle_krb5_mech: obtained
> service ticket
> Nov 27 13:07:18 linuxclient cifs.upcall: Exit status 0
>
>
> where it says that it get the service ticket (I can see it sniffing
> packets with wireshark) but it is "unable to get principal". Which
> principal?
>
> On the server side I have the following error:
>
> A process has requested access to an object, but has not been granted
> those access rights. (0xC0000022)
> SPN: session setup failed before the SPN could be queried
> SPN Validation Policy: SPN optional / no validation
>
>
> What I'm doing wrong?
>
> Any suggest is welcome.
>
> Best regards
>
> Alberto
>
>
--
Thanks,
Steve
next prev parent reply other threads:[~2019-12-03 22:16 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-27 12:20 Permission denied mounting a DFS share with multiuser options abrosich
2019-12-03 22:16 ` Steve French [this message]
2020-03-02 14:11 ` abrosich
2020-03-02 16:19 ` Paulo Alcantara
2020-03-03 15:40 ` abrosich
2020-03-04 9:17 ` abrosich
2020-03-04 21:11 ` Steve French
2020-03-05 15:07 ` abrosich
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAH2r5mu5dedRmPQzRUH=E87J2txsBv3DiFYZLT-a_xYay=2czA@mail.gmail.com' \
--to=smfrench@gmail.com \
--cc=abrosich@inogs.it \
--cc=linux-cifs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).